Proactively identify service issues

Effective automated incident management depends on the quality
of monitoring and event data used to detect and respond to
incidents.

Filter critical from noncritical information
with automation so staff can focus on remediation.

Effective incident management automation begins with the ability to
separate the “signal”—the monitoring and event data that points to
potential disruptions in your business
services—from the “noise”—the alerts that reflect noncritical
information about the state of your services.

To separate the signal from noise, you should implement a filtering
process using the ServiceNow Event Management tool. The steps for this
process are outlined below, but you can also follow
them using the guided setup within the tool.

Configure a MID Server to receive and process events – The
MID Server (for management, instrumentation, and discovery) is a
Java application that runs as a Windows service or UNIX daemon on a
server in your local network. It facilitates communication and
data movement between your ServiceNow instance and external
applications, data sources, and services, including your sources of
alert data.

Configure event field mappings and alert binding to manage alert
generation – Event field mappings are rules that are used to
map values from specific fields to values in other fields. These
rules apply after event rule processing and just prior to alert
generation, for example, to map event severity fields from a
monitoring tool into your ServiceNow severity values. Alert binding
automatically binds alerts to CI information from the CMDB. When
these two things occur together, they ensure that the alert data is
both consistent and clearly maps to CIs.

When you complete these steps together, there’s less event noise
generated by third‑party monitoring tools, and you create actionable
alerts to help your IT organization resolve service outages.

Events are processed through filters (via the MID Server) that
normalize and deduplicate incoming event streams that generate alerts,
reducing noise by up to 99%. You can set this up for discovered
business services, manually defined business services, technical
services, and alert groups.

When an event from an external source is identified, Event
Management locates the CI information to generate an alert, per step 3
above. This CI information is stored in the CMDB through Service
Mapping, Discovery, manual entry, and third‑party sources.

Service Mapping provides the ability to correlate alerts to relative
service impact—and if you have enabled Service Analytics, you’ll find
additional correlated alert group and root‑cause analysis information
to help you drive remediation and resolution. Figure 2 depicts the
Event Management process flow.

Figure 2: Event Management process flow

Once configured, ServiceNow Event Management enables IT operations
teams to view the impacted services and related alerts in a single
console, like the one shown in Figure 3. You can select a service in
the dashboard filters to show only relevant alerts, or you can select
an alert to highlight the impacted services.

You can also view services based on their business criticality,
severity, and cost—this helps with prioritizing your remediation and
resolution efforts. When you drill into a service, you can
identify the probable cause of an impact simply by looking at it.

Autogenerate and assign high‑priority incidents based on severity
– This requires clear prioritization and escalation rules, as
described in Stage 4.

Associate alerts with relevant knowledge base articles to support
resolution – To do this, you need a process for effective
knowledge base maintenance, as described in Stage 4.

You can also define alert rules to present automated remediation
options through integration with ServiceNow Orchestration.

In all cases, base your alert trigger automation on a clear
understanding of how your incidents are prioritized across services,
how incidents should be optimally assigned and escalated, and how
incidents should be remediated, ideally based on historical data.

EXPERT TIP

Use subject matter experts—typically technology asset owners—to
define a set of remediation options you can present to service desk
staff for common incidents. This will reduce the time from alert
notification to response and resolution.